I have been reading up on MiTM attacks, and the prevention of them using public key certificates. Recently I learnt about Diffie-Hellman Key Exchange with Authentication, and how it uses signed parameters for preventing MiTM.

I'm not fully clear on the process used with the protocol (as listed in RFC 5246, appendix F.1.1.3) with respect to authentication. I understand how Diffie-Hellman is vulnerable to such attacks when used without it, but how exactly does it prevent these attacks?

I understand that the messages are signed, so the attacker Mallory can't modify messages between Alice and Bob. Why is Mallory not able to forward say, Bob's certificate through to Alice, including any of Bob's signed parameters, and eventually intercept the negotiated session key through relaying all messages between the two parties?

Is it simply because Alice and Bob both generate their own secret keys, which means the session key isn't recoverable? (Mallory is more like an eavesdropper/Eve in this scenario?)
Additionally, does this mean if Mallory were able to recover the private key somehow, that he/she could compute 2 separate key exchanges and modify traffic as before with no authentication?

Lastly, say Mallory manages to compromise the private key and can intercept and modify traffic. Without changing the certificate/key, is there any other way to authenticate Bob in this scenario, or is this impossible?

1 Answer

Firstly, PKI makes use of a private key and a public key. The private key is known only to the user, while the public key is communicated securely via the use of certificates. To provide authentication and non-repudiation, users may sign a message with their private keys and obtain a digital signature. Any other user can verify that the signature is authentic by "decrypting" it with the claimed user's public key.

So to answer your questions:

Mallory is unable to intercept the negotiated session key due to the Diffie–Hellman problem whereby it is hard to compute $g^{ab}$ given $g^a$ and $g^b$. He is unable to impersonate Bob if he does not possess Bob's private keys.

Yes, you are correct. Mallory can only eavesdrop on the encrypted ciphertext and is unable to learn its contents.

No, Mallory is unable to obtain the session key (of the communication between Alice and Bob) even if he has knowledge of Bob's private keys, due to the Diffie–Hellman problem. Mallory is able to impersonate Bob when communicating with Alice but unable to impersonate Alice when communicating with Bob. However, if Mallory has access to both Alice's and Bob's private keys, then a MiTM attack is possible.

No, Bob has to change his public-private key pair including his certificate unless there is 2-factor authentication in place (e.g. via voice/text message or tokens).
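The answer's points, as an added simulation that is not from the post or from RFC 5246: both parties sign their ephemeral DH share over the hello randoms (the mutually authenticated case of appendix F.1.1.3), and Mallory is run as a pure relay, as an active substitute without any key, and with Bob's or both private keys stolen. The tiny group, the RSA primes and the names `handshake`, `active` and `stolen` are constructed toy values and my own choices.

```python
import hashlib
import secrets

# Constructed toy parameters (readable, not secure): safe prime p = 2q + 1, g = 4 of order q, RSA e.
P, Q, G, E = 2039, 1019, 4, 65537

def rsa_keypair(p, q):
    """Return ((n, e), (n, d)); the 'certificate' here is simply the public tuple."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, *msg):
    n, d = priv
    return pow(digest(*msg) % n, d, n)

def verify(pub, sig, *msg):
    n, e = pub                      # "decrypt" with the claimed signer's public key
    return pow(sig, e, n) == digest(*msg) % n

def dh_share():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def handshake(alice, bob, active=False, stolen=None):
    """Signed ephemeral DH, both sides authenticated (RFC 5246 F.1.1.3 style): each party
    signs (client_random, server_random, p, g, own share), the peer verifies it against the
    certificate before deriving. active=True: Mallory substitutes her own shares; stolen maps
    "alice"/"bob" to private keys she holds. Returns (alice_key, bob_key, mallory_keys)."""
    (a_pub, a_priv), (b_pub, b_priv) = alice, bob
    stolen = stolen or {}
    cr, sr = secrets.randbits(32), secrets.randbits(32)   # hello randoms bind the transcript
    (a, ga), (b, gb) = dh_share(), dh_share()
    if not active:                  # Mallory merely relays: she sees g^a and g^b, nothing more
        ok_alice = verify(b_pub, sign(b_priv, cr, sr, P, G, gb), cr, sr, P, G, gb)
        ok_bob = verify(a_pub, sign(a_priv, cr, sr, P, G, ga), cr, sr, P, G, ga)
        return pow(gb, a, P) if ok_alice else None, pow(ga, b, P) if ok_bob else None, []
    def forge(name, n, share):      # Mallory can only sign with a key she actually holds
        if name in stolen:
            return sign(stolen[name], cr, sr, P, G, share)
        return secrets.randbelow(n) # no key: a random value, which the check rejects
    (m1, gm1), (m2, gm2) = dh_share(), dh_share()   # posing as Bob to Alice, as Alice to Bob
    ok_alice = verify(b_pub, forge("bob", b_pub[0], gm1), cr, sr, P, G, gm1)
    ok_bob = verify(a_pub, forge("alice", a_pub[0], gm2), cr, sr, P, G, gm2)
    alice_key = pow(gm1, a, P) if ok_alice else None   # None: Alice aborted the handshake
    bob_key = pow(gm2, b, P) if ok_bob else None       # None: Bob aborted the handshake
    return alice_key, bob_key, [pow(ga, m1, P), pow(gb, m2, P)]
```

With only Bob's key stolen, Alice ends up sharing a key with Mallory while Bob rejects the forged "Alice" signature; only with both keys do both sides accept and Mallory holds both session keys.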